File name:	41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe
Full analysis:	https://app.any.run/tasks/28a70d0e-e313-4bec-af64-39869ec54ebf
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 10, 2025, 20:39:53
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	amadey botnet stealer loader lumma themida auto stealc netreactor rdp
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	0A7F88A22AE393BE6AAF81E99911559E
SHA1:	618BD53DCB394611C6EE90199ABE534D40DD6958
SHA256:	41877F9E09AAE067DC58C6B1E29DA9D93F0773B742F1E59E6175FE57DDF052AE
SSDEEP:	98304:8+7IIYN3A1dUKW83me3qNNW0DVU3aNkHTdvqlG9ehlzEJAuufVuVHvzULQkHYJLP:VkTb8

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:07:25 12:10:38+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.24
CodeSize:	321024
InitializedDataSize:	104960
UninitializedDataSize:	-
EntryPoint:	0x32b000
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI


(PID) Process:	(5096) axplong.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5096) axplong.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5096) axplong.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2996) defnur.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(2996) defnur.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2996) defnur.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(5316) 696969.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5316) 696969.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5316) 696969.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
1328	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_legs.exe_b69dcd31991ac936315188b4a52a885c5ebfec_fdf40bfd_e89d49c0-6286-4fc8-8731-48d80fc2740f\Report.wer		—
		MD5:—	SHA256:—
1328	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\legs.exe.4556.dmp		—
		MD5:—	SHA256:—
1348	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_696969.exe_b364b07473c6281ded8b432832f7dffc980d0_d85faf26_a2a88736-f325-4d53-a734-79623dcc16f2\Report.wer		—
		MD5:—	SHA256:—
5864	41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe	C:\Users\admin\AppData\Local\Temp\44111dbc49\axplong.exe		executable
		MD5:0A7F88A22AE393BE6AAF81E99911559E	SHA256:41877F9E09AAE067DC58C6B1E29DA9D93F0773B742F1E59E6175FE57DDF052AE
5864	41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe	C:\Windows\Tasks\axplong.job		binary
		MD5:D446F281DFEBA704B5320A0013F90407	SHA256:14BC0492B14E482FD4D09B3AEA9CE72C69916C1FC623564FDED6F2AB82936503
5268	am209.exe	C:\Windows\Tasks\defnur.job		binary
		MD5:90BB6E0DD851EA0D50E416EF6D42E49C	SHA256:BE277E49A8A5307E2B5A7DD1EAFF0FCA01290A11DA223DCE17F499CB6F8874C9
5096	axplong.exe	C:\Users\admin\AppData\Local\Temp\1001527001\legs.exe		executable
		MD5:A2697E928936F05710DFB331F982C917	SHA256:2854E22091C01A1C1A9B654D7305EC7BEB0BCC703E161DBEF06AF7D9C401495B
5096	axplong.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\am209[1].exe		executable
		MD5:CE27255F0EF33CE6304E54D171E6547C	SHA256:82C683A7F6E0B4A99A6D3AB519D539A3B0651953C7A71F5309B9D08E4DAA7C3C
5268	am209.exe	C:\Users\admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe		executable
		MD5:CE27255F0EF33CE6304E54D171E6547C	SHA256:82C683A7F6E0B4A99A6D3AB519D539A3B0651953C7A71F5309B9D08E4DAA7C3C
1328	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERA8F5.tmp.dmp		binary
		MD5:10DD4789E29A610D920E179A6065F235	SHA256:9E9E1566D184B80B11AAE2B7665637277B3E1F871C8D46CCED0CAAA79F36F818

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3296	svchost.exe	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3296	svchost.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5096	axplong.exe	POST	200	185.215.113.16:80	http://185.215.113.16/Jo89Ku7d/index.php	unknown	—	—	malicious
5096	axplong.exe	GET	200	185.215.113.16:80	http://185.215.113.16/test/am209.exe	unknown	—	—	malicious
5096	axplong.exe	GET	200	185.215.113.16:80	http://185.215.113.16/inc/legs.exe	unknown	—	—	malicious
5096	axplong.exe	POST	200	185.215.113.16:80	http://185.215.113.16/Jo89Ku7d/index.php	unknown	—	—	malicious
5096	axplong.exe	POST	200	185.215.113.16:80	http://185.215.113.16/Jo89Ku7d/index.php	unknown	—	—	malicious
5096	axplong.exe	GET	200	185.215.113.16:80	http://185.215.113.16/inc/696969.exe	unknown	—	—	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3296	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3296	svchost.exe	2.16.241.19:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	2.16.241.19:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3296	svchost.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
4712	MoUsoCoreWorker.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
4712	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5096	axplong.exe	185.215.113.16:80	—	1337team Limited	SC	malicious

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158	whitelisted
google.com	142.250.186.78	whitelisted
crl.microsoft.com	2.16.241.19 2.16.241.12	whitelisted
www.microsoft.com	2.23.246.101	whitelisted
pancakedipyps.click	—	malicious
nearycrepso.shop	—	malicious
abruptyopsn.shop	—	malicious
wholersorie.shop	—	malicious
framekgirus.shop	—	malicious
tirepublicerj.shop	—	malicious

PID	Process	Class	Message
5096	axplong.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 33
5096	axplong.exe	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
5096	axplong.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
5096	axplong.exe	Misc activity	ET INFO Packed Executable Download
5096	axplong.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
5096	axplong.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
5096	axplong.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5096	axplong.exe	A Network Trojan was detected	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2
5096	axplong.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
2192	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nearycrepso .shop)

Process	Message
41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
axplong.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
axplong.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
axplong.exe	%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------

General Info

41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe

0A7F88A22AE393BE6AAF81E99911559E

618BD53DCB394611C6EE90199ABE534D40DD6958

41877F9E09AAE067DC58C6B1E29DA9D93F0773B742F1E59E6175FE57DDF052AE

98304:8+7IIYN3A1dUKW83me3qNNW0DVU3aNkHTdvqlG9ehlzEJAuufVuVHvzULQkHYJLP:VkTb8

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

AMADEY mutex has been found

Connects to the CnC server

AMADEY has been detected (SURICATA)

AMADEY has been found (auto)

AMADEY has been detected (YARA)

LUMMA has been detected (SURICATA)

STEALER has been found (auto)

StealC has been detected

LUMMA mutex has been found

LUMMA has been detected (YARA)

STEALC has been detected (YARA)

Actions looks like stealing of personal data

Steals credentials from Web Browsers

SUSPICIOUS

Reads the BIOS version

Reads security settings of Internet Explorer

Starts itself from another location

Executable content was dropped or overwritten

Contacting a server suspected of hosting an CnC

Potential Corporate Privacy Violation

Process requests binary or script from the Internet

Connects to the server without a host name

Executes application which crashes

Application launched itself

Windows Defender mutex has been found

There is functionality for enable RDP (YARA)

Searches for installed software

The process executes via Task Scheduler

INFO

Create files in a temporary directory

Checks supported languages

Reads the computer name

Sends debugging messages

Process checks computer location settings

Checks proxy server information

The process uses the downloaded file

Creates files or folders in the user directory

Reads the software policy settings

Reads the machine GUID from the registry

Themida protector has been detected

.NET Reactor protector has been detected

Reads Environment values

Reads product name

Reads CPU info

Malware configuration

Amadey

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration